Data Processing Agreement

1. Definitions

Terms used in this DPA have the meanings given in the UK GDPR and the Data Protection Act 2018, including “personal data”, “processing”, “controller”, “processor”, “data subject”, and “supervisory authority”.

“Applicable Data Protection Laws” means the UK GDPR, Data Protection Act 2018, and any successor or equivalent legislation.

2. Roles

In respect of personal data you submit to the DeclareHQ platform for the purposes of preparing and submitting customs declarations, managing shipments, and similar activities, you are the Controller and we are the Processor.

In respect of account data, billing data, and usage data collected directly by us, we act as an independent Controller (see our Privacy Policy).

3. Subject Matter, Duration, Nature, and Purpose

• Subject matter — provision of the DeclareHQ platform and related services.
• Duration — for the term of your subscription plus any retention period required by law.
• Nature and purpose — storing, transmitting, and processing declaration content, shipment data, client records, and documents on your instructions to enable customs clearance workflows.
• Types of personal data — names and business contact details of importers, exporters, consignees, agents, and your own users; EORI numbers; shipment and declaration content; documents you upload.
• Categories of data subjects — your users, your clients, and contacts named in your customs records.

4. Processor Obligations

When processing personal data on your behalf, we will:

• Process personal data only on your documented instructions, including the instructions implicit in your use of the platform. If we believe an instruction infringes Applicable Data Protection Laws, we will notify you.
• Ensure that personnel authorised to process personal data are under an obligation of confidentiality.
• Implement appropriate technical and organisational measures as described in Clause 7.
• Engage sub-processors only under Clause 5.
• Assist you in fulfilling data-subject requests and data-protection obligations (DPIAs, consultations with supervisory authorities, etc.).
• Notify you without undue delay of any personal data breach affecting your data.
• On termination, delete or return all personal data, at your choice, save where law requires continued retention.
• Make available to you all information necessary to demonstrate compliance with this DPA and allow for audits on reasonable notice.

5. Sub-processors

You provide general written authorisation for us to engage sub-processors. Our current sub-processors include:

• Supabase — database, authentication, and storage (EU region).
• Vercel — application hosting and serverless functions.
• Stripe — payment processing.
• Amazon Web Services — transactional email delivery (SES) and supporting infrastructure.
• HMRC — final recipient of customs declarations you submit. HMRC is an independent controller in respect of data you submit for customs purposes.

We will inform you at least 30 days in advance of any intended changes to our sub-processors. You may object to a change; if we cannot reasonably accommodate your objection you may terminate the affected services without penalty.

6. International Transfers

Our primary infrastructure is hosted in the UK/EEA. Where any transfer of personal data outside the UK is necessary, we rely on an adequacy decision, the UK International Data Transfer Agreement, or EU Standard Contractual Clauses as appropriate.

7. Security Measures

We maintain appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:

• TLS encryption for data in transit.
• AES-256-GCM encryption for sensitive data at rest (e.g. HMRC OAuth tokens and integration credentials).
• Row-level security policies on the database.
• Role-based access control with multi-factor authentication for privileged accounts.
• Audit logging of data access and administrative actions.
• Secure software development practices, dependency monitoring, and periodic security review.
• Regular backups and documented disaster-recovery procedures.

8. Data-Subject Requests

We will promptly forward any data-subject request we receive that relates to your Controller data. We will also assist you, where necessary and reasonable, to respond to such requests via platform features and data exports.

9. Personal Data Breach Notification

We will notify you of any personal data breach affecting your Controller data without undue delay and, where feasible, within 72 hours of becoming aware. Our notification will describe the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

10. Audit Rights

We will provide information necessary to demonstrate compliance with this DPA. You may audit our compliance on reasonable prior notice, no more than once per year (unless required more often by a supervisory authority), during business hours, and subject to appropriate confidentiality arrangements. Where available, we may satisfy audit requirements by providing third-party audit reports (e.g. SOC 2, ISO 27001 attestations from our sub-processors).

11. Return and Deletion of Data

On termination or expiry of your subscription, you may request an export of your Controller data in a machine-readable format within 30 days. After this period, we will delete your data from our active systems, save for backups retained for up to 90 days as part of our standard business-continuity practices.

12. Liability

The liability of each party under this DPA is subject to the liability cap and exclusions set out in the Terms of Service, save that nothing in this DPA or the Terms of Service excludes or limits liability that cannot be excluded or limited under Applicable Data Protection Laws.

13. Governing Law

This DPA is governed by the laws of England and Wales. Disputes arising under it are subject to the exclusive jurisdiction of the courts of England and Wales.